Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ jobs:
release:
name: Release
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.semantic-release.outputs.release_created }}
tag_name: ${{ steps.semantic-release.outputs.tag_name }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -24,19 +27,26 @@ jobs:
with:
go-version: "1.26"

- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v2

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

SHA-pin privileged actions in release workflow

.github/workflows/release.yaml mints a GitHub App token and uses it in the same job; the third-party actions are currently referenced by floating tags (not commit SHAs):

  • actions/create-github-app-token@v2
  • googleapis/release-please-action@v4

Pin both to the exact upstream commit SHAs you intend to trust.

🔒 Suggested fix
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@<full-commit-sha>
...
-        uses: googleapis/release-please-action@v4
+        uses: googleapis/release-please-action@<full-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 29-29: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yaml at line 29, The workflow currently references
third-party actions by floating tags; update both actions
(`actions/create-github-app-token@v2` and `googleapis/release-please-action@v4`)
to pin them to the exact commit SHAs you trust by replacing the tag references
with their corresponding commit SHA refs (e.g.,
`actions/create-github-app-token@<commit-sha>` and
`googleapis/release-please-action@<commit-sha>`), ensuring you fetch the
upstream commit SHAs from the official repos and use those SHAs in the workflow.

with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

- name: Release
id: semantic-release
uses: googleapis/release-please-action@v4
with:
release-type: simple
token: ${{ secrets.GH_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Tag Images
if: ${{ steps.semantic-release.outputs.release_created }}
run: |
VERSION=${{ steps.semantic-release.outputs.tag_name }}
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

build-app:
Comment on lines 50 to 51
name: Build API App
Expand Down
Loading